LNK (Windows File Shortcut) Parser

Exploiting CVE-2010-2568 requires a LNK file that references a malicious DLL. Because we urgently needed to parse LNK files to trace any DLL they point to, we modified a small portion of the code from the Metasploit project so that it runs independently of the Metasploit framework. The original code is here. The purpose of dumplinks.rb is to extract information from each LNK file. The code was originally written by davehull. Here is the output of the modified code:


[+] Processing: lalameta.lnk
[+] Found CLSID=00021401-0000-0000-C000-0000000000460
lalameta.lnk:
Access Time = Tue Jul 27 17:16:06 +0800 2010
Creation Date = Thu Jul 22 01:16:24 +0800 2010
Modification Time = Thu Jul 22 01:16:24 +0800 2010
Contents of lalameta.lnk:
Flags:
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
Target file's MAC Times stored in lnk file:
Creation Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+] checking offset of 0x80 to find DLL from metasploit code generator
[+]: \\192.168.20.2\xyTxzY\CjmX.dll

The last line of the output shows the UNC path of the DLL that the LNK file loads. Below is the result from the PoC provided by ivanlef0u.
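The fields printed above (link flags, file attributes, the three FILETIME stamps, the ShowWnd value and the embedded DLL path) can be recovered with a short stand-alone parser. The following Ruby script is an added example written for this page; it is not the modified dumplinks.rb and not Metasploit code. It parses the fixed 76-byte ShellLinkHeader as laid out in Microsoft's MS-SHLLINK specification, and instead of reading a DLL name from a fixed offset such as 0x80 it scans the whole file for a UNC path ending in `.dll` in both UTF-16LE and ANSI encodings, so a crafted file cannot hide the path simply by moving it. The sample LNK bytes and the `\\192.0.2.10\share\payload.dll` path are constructed for the example; the helper names (`parse_lnk_header`, `find_dll_paths`, `analyze_lnk`, `build_sample_lnk`) are this example's own.

```ruby
# Minimal Windows Shell Link (.lnk) header parser plus a scan for embedded
# DLL paths. Added example, not the page's dumplinks.rb. Header layout follows
# the ShellLinkHeader structure in MS-SHLLINK; the sample .lnk bytes built by
# build_sample_lnk are constructed for this example, not a real file.

HEADER_SIZE = 0x4C
LINK_CLSID  = "00021401-0000-0000-c000-000000000046"
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000 # 100 ns ticks from 1601 to 1970

LINK_FLAGS = {
  0x01 => "HasLinkTargetIDList", 0x02 => "HasLinkInfo", 0x04 => "HasName",
  0x08 => "HasRelativePath", 0x10 => "HasWorkingDir", 0x20 => "HasArguments",
  0x40 => "HasIconLocation", 0x80 => "IsUnicode",
}.freeze
FILE_ATTRS = { 0x01 => "READONLY", 0x02 => "HIDDEN", 0x04 => "SYSTEM",
               0x10 => "DIRECTORY", 0x20 => "ARCHIVE" }.freeze
SHOW_CMDS  = { 1 => "SW_SHOWNORMAL", 3 => "SW_SHOWMAXIMIZED",
               7 => "SW_SHOWMINNOACTIVE" }.freeze

# Names of the bits set in +value+, in the order the table lists them.
def decode_bits(value, table)
  table.select { |bit, _| (value & bit) != 0 }.values
end

# FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means "not stored".
def filetime_to_time(ticks)
  return nil if ticks.zero?
  secs, rem = (ticks - FILETIME_EPOCH_DIFF).divmod(10_000_000)
  Time.at(secs, rem / 10).utc # rem is in 100 ns units, Time.at wants usec
end

def time_to_filetime(t)
  t.to_i * 10_000_000 + FILETIME_EPOCH_DIFF
end

# GUID: three little-endian fields, then eight bytes kept in order.
def guid_to_s(raw)
  d1, d2, d3, d4, d5 = raw.unpack("VvvH4H12")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3, d4, d5)
end

def parse_lnk_header(data)
  raise ArgumentError, "shorter than a LNK header" if data.bytesize < HEADER_SIZE
  size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, showcmd =
    data.unpack("Va16VVQ<Q<Q<VVV")
  raise ArgumentError, "bad HeaderSize #{size}" unless size == HEADER_SIZE
  raise ArgumentError, "not a Shell Link CLSID" unless guid_to_s(clsid) == LINK_CLSID
  {
    flags: decode_bits(flags, LINK_FLAGS),
    attributes: decode_bits(attrs, FILE_ATTRS),
    creation_time: filetime_to_time(ctime),
    access_time: filetime_to_time(atime),
    write_time: filetime_to_time(wtime),
    target_size: fsize,
    show_command: SHOW_CMDS.fetch(showcmd, "0x#{showcmd.to_s(16)}"),
  }
end

# Paths inside a LNK may be UTF-16LE (StringData) or ANSI (LinkInfo), so both
# encodings are scanned for "\\server\...\name.dll". Scanning the whole file
# avoids trusting header offsets that a crafted file can set arbitrarily.
UNC_DLL_UTF16 = /\\\x00\\\x00(?:[\x20-\x7e]\x00)+?\.\x00[dD]\x00[lL]\x00[lL]\x00/n
UNC_DLL_ANSI  = /\\\\[\x20-\x7e]+?\.[dD][lL][lL]/n

def find_dll_paths(data)
  bin   = data.b
  utf16 = bin.scan(UNC_DLL_UTF16).map { |m| m.force_encoding("UTF-16LE").encode("UTF-8") }
  ansi  = bin.scan(UNC_DLL_ANSI).map { |m| m.force_encoding("ASCII-8BIT").encode("UTF-8") }
  (utf16 + ansi).uniq
end

def analyze_lnk(data)
  info  = parse_lnk_header(data)
  paths = find_dll_paths(data)
  info.merge(dll_paths: paths, remote_dll: paths.any? { |p| p.start_with?("\\\\") })
end

# Constructed sample: a valid header followed by the target path as a
# NUL-terminated UTF-16LE string, standing in for the real LinkInfo/StringData.
def build_sample_lnk(unc_path, created_at)
  clsid  = [0x00021401, 0, 0, "c000", "000000000046"].pack("VvvH4H12")
  header = [HEADER_SIZE, clsid, 0x02 | 0x80, 0x20,
            time_to_filetime(created_at), 0, 0, 0, 0, 1, 0, 0, 0, 0]
           .pack("Va16VVQ<Q<Q<VVVvvVV")
  header + (unc_path + "\0").encode("UTF-16LE").b
end

if __FILE__ == $PROGRAM_NAME
  sample = build_sample_lnk("\\\\192.0.2.10\\share\\payload.dll",
                            Time.utc(2010, 7, 21, 17, 16, 24))
  analyze_lnk(sample).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running the script on a real shortcut is a matter of `analyze_lnk(File.binread(path))`; a `remote_dll: true` result is the condition the page's offset-0x80 check was looking for, and the unset access and write times in the sample mirror the all-zero (1970) MAC times in the output above.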